package top.zaixia.game.deployment.config

import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.web.SecurityFilterChain
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
import top.zaixia.game.deployment.filter.JwtFilter

@Configuration
class SecurityConfig(
  private val jwtFilter: JwtFilter,
) {
	@Bean
	fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
		http.csrf { it.disable() } // 禁用 CSRF（通常用于 REST API）
		  .sessionManagement { it.sessionCreationPolicy(SessionCreationPolicy.STATELESS) } // 使用无状态 session
		  .authorizeHttpRequests {
			  it
				// 允许校验接口及测试接口
				.requestMatchers("/check/**", "/test/**").permitAll()
				// 其他请求需要认证
				.anyRequest().authenticated()
		  } // 允许所有请求
		  .httpBasic { it.disable() } // 禁用 HTTP Basic 认证
		  .formLogin { it.disable() } // 禁用表单登录
		  .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter::class.java)
		return http.build()
	}
	
}